STIGhubSTIGhub
STIGsSearchCompare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • Compare Versions

Resources

  • About
  • Release Notes
  • VPAT
  • DISA STIG Library
STIGs updated 3 hours ago
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to F5 BIG-IP Advanced Firewall Manager Security Technical Implementation Guide

V-214499

CAT I (High)

The BIG-IP AFM module must be configured to restrict or block harmful or suspicious communications traffic by controlling the flow of information between interconnected networks based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic.

Rule ID

SV-214499r395868_rule

STIG

F5 BIG-IP Advanced Firewall Manager Security Technical Implementation Guide

Version

V2R2

CCIs

CCI-001414

Discussion

Information flow control regulates where information is allowed to travel within a network and between interconnected networks. Blocking or restricting detected harmful or suspicious communications between interconnected networks enforces approved authorizations for controlling the flow of traffic. This requirement applies to the flow of information between the Application Layer Gateway (ALG) when used as a gateway or boundary device which allows traffic flow between interconnected networks of differing security policies. The ALG installed and configured in such a way that restricts or blocks information flows based on guidance in the Ports, Protocols, & Services (PPSM) regarding restrictions for boundary crossing for ports, protocols, and services. Information flow restrictions may be implemented based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic. The ALGs must be configured with policy filters (e.g., security policy, rules, and/or signatures) that restrict or block information system services; provide a packet filtering capability based on header information; and/or perform message filtering based on message content. The policy filters used depend upon the type of application gateway (e.g., web, email, or TLS).

Check Content

If the BIG-IP AFM module is not used to support user access control intermediary services for virtual servers, this is not applicable.

Verify the BIG-IP AFM module is configured to restrict or block harmful or suspicious communications traffic by controlling the flow of information between interconnected networks based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic.

Navigate to the BIG-IP System manager >> Security >> Network Firewall >> Active Rules.

Verify an active rule is configured to restrict or block harmful or suspicious communications traffic by controlling the flow of information between interconnected networks based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic.

If the BIG-IP AFM module is not configured to restrict or block harmful or suspicious communications traffic by controlling the flow of information between interconnected networks based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic, this is a finding.

Fix Text

If the BIG-IP AFM module is used to support user access control intermediary services for virtual servers, configure the BIG-IP AFM module to restrict or block harmful or suspicious communications traffic by controlling the flow of information between interconnected networks based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic.